From: "Aaron C. de Bruyn"
Date: Wed, 24 Jul 2019 13:17:00 -0700
Subject: Re: Old Stuff
To: Robert Simmons
Cc: Luke Crooks, freebsd-security@freebsd.org

On Wed, Jul 24, 2019 at 12:09 PM Robert Simmons wrote:

> Yes, to reduce the code base complexity so that resources can be focused
> on a smaller code base.

That seems like several completely different arguments. Codebase complexity, available resources, and "a smaller code base". So why does removing telnet and FTP solve or partially solve codebase complexity whereas removing sh or curl not solve the problem?

As for available resources, is that currently a problem? Is there no telnet or FTP maintainer? Are they complaining they're overworked with a flood of changes to the telnet protocol (have there been any changes in the last 2 decades)?

Why is "a smaller code base" a goal? Shouldn't it be more along the lines of "the smallest most efficient code base necessary to support feature x, use-case y, or project z"?

I'm being a bit snarky with this, but you could solve all the problems you listed by distributing an OS that simply had an 'ls' command and that's it. No login. No vi. No video support. No nothing. It just boots to a prompt and allows you to type 'ls'. Much smaller codebase, less complexity, tons of resources for a very small project.

Maybe I misunderstood based on Stephen's earlier reply though. If the case is simply removing it from the base to ports, I would have less of an issue. It means a bit more work on my end, but at least the functionality is available. I would think it would have a minor impact on users coming over from Windows, Linux, or other BSDs with the former two being less inclined to dive in and compile from source or even know/understand ports initially.

-A